I Red Team DEV
Story: "Virtual Hands Behind the Real Screen"

Story: "Virtual Hands Behind the Real Screen" - Unix_Root - 06-14-2025

"Virtual Hands Behind the Real Screen"
(How a Screen Sharing Tool Became a Hacker's Window)

Chapter 1 - The Missing Contract
A technology company specializing in software development was working for a major banking company in the ASEAN region. On the day of the project submission, the client's feedback was:
"Unfortunately, your competitor came up with a better pricing package - and, strangely enough, understands the entire architecture you proposed."
This company had never shared the architecture with anyone outside the company.
I was invited to investigate.

Chapter 2 - No Malicious Code, No Attack
I scanned the entire system: endpoints, servers, email. No ransomware was detected, no strange VPN access, no suspicious printing or sending of files.
But while examining the PM's (Project Manager's) device, I noticed the "ScreenShare Pro" app, a free screen sharing tool that had been installed manually 2 months earlier.
"I use it for demo calls with foreign vendors. They say this software is easier to use than Zoom." - the PM replied.

Chapter 3 - Deep Investigation
I went through the event logs and found:
• ScreenShare Pro opened a session without any warning, lasting 45 minutes
• During that session, the user opened the files Project_Proposal_V4.pptx and DB_Design_Confidential.vsdx
• The app keeps no meeting logs and shows no red border to warn that sharing is active
Using Wireshark, I found:
• Strange TLS connections to an unknown server (running on an anonymous VPS)
• The protocol is proprietary and could not be decoded, but the traffic volume is large, consistent with video streaming

Chapter 4 - The User Was Exploited
I reconstructed the timeline:
1. The vendor asked the PM to install screen sharing software "easier than Z"
2. The PM downloaded it from an external link (not the official website)
3. On every demo call, the vendor asked the PM to "turn on screen sharing of the entire desktop so it's easier to follow the operation"
4. On one of those occasions, the PM opened the technical documents to copy and paste the architecture for the demo

Investigation conclusions
• Intrusion vector: abuse of trust, getting the victim to install unwanted software
• Behaviour: using screen sharing to record the screen, with no malicious code or hacking of the machine required.
• Impact: leaked product architecture, giving competitors an edge and winning over the customer.

Lesson learned
It's not the file you send that's dangerous - it's what you display.
Modern hackers don't have to pick locks - they're waiting for you to enable sharing at the right time.
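The correlation Unix_Root did by hand in Chapter 3 (sharing session, files opened during it, large upload to an unknown server) can be scripted. The following Python is an added example, not code from the post; the telemetry tuples, the destination allowlist and the sensitive file-name markers are all constructed assumptions.

```python
from datetime import datetime as dt

# Constructed sample telemetry (not from the original post): process, file and
# network events exported from the PM's workstation, oldest first.
EVENTS = [
    ("2025-05-02T09:00:00", "process_start", "ScreenSharePro.exe"),
    ("2025-05-02T09:12:00", "file_open", "Project_Proposal_V4.pptx"),
    ("2025-05-02T09:20:00", "file_open", "DB_Design_Confidential.vsdx"),
    ("2025-05-02T09:45:00", "process_stop", "ScreenSharePro.exe"),
    ("2025-05-02T10:30:00", "file_open", "Timesheet.xlsx"),
]
FLOWS = [  # (start, process, destination, bytes sent) - constructed
    ("2025-05-02T09:00:05", "ScreenSharePro.exe", "203.0.113.7:443", 1_900_000_000),
    ("2025-05-02T10:00:00", "OUTLOOK.EXE", "outlook.office365.com:443", 2_000_000),
]
ALLOWED_DESTINATIONS = {"outlook.office365.com:443", "zoom.us:443"}  # assumed allowlist
SENSITIVE_MARKERS = ("confidential", "proposal", "design")  # assumed naming convention

def sharing_sessions(events, app):
    """Pair each start of the screen-sharing process with its stop."""
    sessions, start = [], None
    for when, kind, what in events:
        if what == app and kind == "process_start":
            start = dt.fromisoformat(when)
        elif what == app and kind == "process_stop" and start is not None:
            sessions.append((start, dt.fromisoformat(when)))
            start = None
    return sessions

def during(when, sessions):
    return any(s <= dt.fromisoformat(when) <= e for s, e in sessions)

def files_exposed(events, sessions):
    """Sensitive documents opened while the desktop was being shared."""
    return [what for when, kind, what in events if kind == "file_open"
            and any(m in what.lower() for m in SENSITIVE_MARKERS)
            and during(when, sessions)]

def suspicious_uploads(flows, sessions, min_bytes=100_000_000):
    """Large uploads to non-allowlisted destinations during a session."""
    return [(proc, dest) for when, proc, dest, sent in flows
            if dest not in ALLOWED_DESTINATIONS and sent >= min_bytes
            and during(when, sessions)]

def investigate(app="ScreenSharePro.exe"):
    sessions = sharing_sessions(EVENTS, app)
    return {"session_minutes": [int((e - s).total_seconds() // 60) for s, e in sessions],
            "exposed": files_exposed(EVENTS, sessions),
            "uploads": suspicious_uploads(FLOWS, sessions)}
```

On the constructed data, `investigate()` reports one 45-minute session, the two design documents opened inside it, and the single large upload to the non-allowlisted host; the Timesheet and the Outlook flow are correctly ignored.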